⬅️ Need help getting started? Check out our guide to Running Your First Scan.
Scan More Effectively
Now that you’ve successfully scanned your application, ensure the scanner is covering your entire attack surface by completing the following checks:
Secure Your API Endpoints
Most modern web applications rely on one or more APIs for communication between the browser and back-end systems. To effectively scan these APIs, provide the scanner with an API definition. StackHawk supports the following technologies:
REST (OpenAPI)
The OpenAPI Specification (also known as Swagger) is an industry-adopted standard for describing RESTful interfaces, which HawkScan can use to deliver a faster, more thorough scan. If you already have an OpenAPI definition for your REST API, add it to your scan configuration by specifying it in your stackhawk.yaml file:

```yaml
# in the "app" config...
app:
  openApiConf:
    # Specify the path relative to the host
    path: "/openapi.yaml"
```
If you are working with an internal API or an API without a definition, we’ve compiled some resources on how to generate a definition:
For more information about how to configure HawkScan for your REST API, see HawkScan OpenAPI Configuration.
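Before handing a definition to the scanner, it is worth checking that it actually describes the host you are about to scan. The following is an added example, not StackHawk code: it loads a constructed OpenAPI 3 document (JSON form, so no YAML library is needed), lists the routes the definition declares, reports `servers` entries whose host differs from the scan host, and lists templated paths that a scanner can only exercise once it has concrete parameter values. The sample document and the `scan_host` value are assumptions for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample OpenAPI 3 document (assumption: in practice, load the file
# referenced by app.openApiConf.path).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "servers": [{"url": "https://api.example.com/v1"}],
  "paths": {
    "/users": {"get": {}, "post": {}},
    "/users/{id}": {"get": {}, "delete": {}},
    "/health": {"get": {}}
  }
}
""")

# Keys of a path item that are HTTP operations (others, e.g. "parameters", are not routes).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def list_routes(spec):
    """Return sorted (METHOD, path) pairs declared in the definition."""
    routes = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                routes.append((method.upper(), path))
    return sorted(routes)


def server_host_mismatches(spec, scan_host):
    """Return absolute server URLs whose host is not the host being scanned.

    A definition exported from production often still points at the production
    host; relative server URLs (e.g. "/v1") resolve against the scan host and are fine.
    """
    target = urlparse(scan_host).netloc.lower()
    mismatched = []
    for server in spec.get("servers", []):
        url = server.get("url", "")
        host = urlparse(url).netloc.lower()
        if host and host != target:
            mismatched.append(url)
    return mismatched


def templated_paths(spec):
    """Paths containing {param} placeholders; these need concrete values to be requested."""
    return sorted(p for p in spec.get("paths", {}) if "{" in p)


if __name__ == "__main__":
    scan_host = "http://localhost:8080"  # assumption: the app.host you scan
    for method, path in list_routes(SAMPLE_SPEC):
        print(method, path)
    print("server host mismatches:", server_host_mismatches(SAMPLE_SPEC, scan_host))
    print("templated paths:", templated_paths(SAMPLE_SPEC))
```

If `server_host_mismatches` reports anything, either fix the `servers` block in the definition you give the scanner or confirm that the scanner is configured to use your scan host rather than the URL in the definition; a definition that points at production is an easy way to scan the wrong thing.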
GraphQL
StackHawk is leading the way in securing GraphQL APIs: our scanner can perform introspection on your GraphQL API to discover the available operations and generate the corresponding routes to test.

Configure GraphQL in HawkScan using the following stackhawk.yaml parameters:

```yaml
# in the "app" config...
app:
  graphqlConf:
    enabled: true
    schemaPath: /graphql # relative path to the introspection endpoint
    operation: MUTATION
    requestMethod: GET
```
For more information about how to configure HawkScan for your GraphQL API, see HawkScan GraphQL Configuration.
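Introspection only works if the environment you scan allows it; many teams disable introspection in production, and a scanner then has nothing to discover. The following added example (not StackHawk code) shows the exchange behind the configuration above: it builds the introspection request as either a GET with the query in the URL or a JSON POST, mirroring `requestMethod`, and parses a constructed introspection response into the operation names, filtered by `operation`. The `ALL` and `QUERY` values accepted by the helper, the sample responses and the host `http://localhost:3000` are assumptions for illustration.

```python
import json
from urllib.parse import urlencode

# Minimal introspection query: only the names of the root query and mutation fields.
INTROSPECTION_QUERY = """
query IntrospectOperations {
  __schema {
    queryType { name fields { name } }
    mutationType { name fields { name } }
  }
}
"""


def build_introspection_request(host, schema_path, request_method="POST"):
    """Return (method, url, headers, body) for the introspection request.

    GET puts the query in the URL; POST sends it as a JSON document.
    """
    url = host.rstrip("/") + schema_path
    if request_method.upper() == "GET":
        return ("GET", url + "?" + urlencode({"query": INTROSPECTION_QUERY}), {}, None)
    body = json.dumps({"query": INTROSPECTION_QUERY})
    return ("POST", url, {"Content-Type": "application/json"}, body)


def operations_from_response(response_json, operation="ALL"):
    """Map operation kind ("QUERY"/"MUTATION") to sorted field names.

    Raises RuntimeError when the server did not return a schema, i.e. when
    introspection is disabled or the endpoint is wrong.
    """
    data = response_json.get("data") or {}
    schema = data.get("__schema")
    if schema is None:
        errors = [e.get("message", "") for e in response_json.get("errors", [])]
        raise RuntimeError("introspection unavailable: " + "; ".join(errors))
    wanted = {
        "ALL": ("QUERY", "MUTATION"),
        "QUERY": ("QUERY",),
        "MUTATION": ("MUTATION",),
    }[operation.upper()]
    result = {}
    for kind, key in (("QUERY", "queryType"), ("MUTATION", "mutationType")):
        if kind in wanted and schema.get(key):
            result[kind] = sorted(f["name"] for f in schema[key]["fields"])
    return result


# Constructed responses (assumptions): one from a server with introspection
# enabled, one from a server that rejects it.
RESPONSE_ENABLED = {
    "data": {
        "__schema": {
            "queryType": {"name": "Query", "fields": [{"name": "me"}, {"name": "orders"}]},
            "mutationType": {
                "name": "Mutation",
                "fields": [{"name": "updateEmail"}, {"name": "deleteAccount"}],
            },
        }
    }
}
RESPONSE_DISABLED = {"data": None, "errors": [{"message": "GraphQL introspection is not allowed"}]}


if __name__ == "__main__":
    method, url, headers, body = build_introspection_request("http://localhost:3000", "/graphql", "GET")
    print(method, url)
    print(operations_from_response(RESPONSE_ENABLED, "MUTATION"))
    try:
        operations_from_response(RESPONSE_DISABLED)
    except RuntimeError as exc:
        print("scan would find no operations:", exc)
```

Two caveats follow from this exchange. First, if the introspection response looks like `RESPONSE_DISABLED`, enable introspection in the environment you scan (not in production) before expecting the scanner to generate routes. Second, the GraphQL-over-HTTP convention is that GET carries queries only, so a server may reject mutations sent with `requestMethod: GET`; if mutation routes come back rejected, try `requestMethod: POST`.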
SOAP
SOAP API schemas use XML to define the structure of their operations. The schema is made available through a WSDL file, a machine-readable description of how the web service works.

Configure SOAP in HawkScan using the following stackhawk.yaml parameters:

```yaml
# in the "app" config...
app:
  soapConf:
    # specify the relative path to a SOAP API WSDL (prefix the path with / to pull from the target host)
    path: /soapAPI/v1?wsdl
    # OR... specify a local WSDL file
    filePath: soapAPI.wsdl
```
For more information about how to configure HawkScan for your SOAP API, see HawkScan SOAP API Configuration.
Configure Seed Paths
For paths that can't be accessed by the HawkScan spider, Seed Paths can be configured in your stackhawk.yaml to ensure HawkScan finds specific endpoints or routes in your application.

Parameter | Default | Description |
---|---|---|
hawk.spider.seedPaths | [] | List of paths to supplement the spider. These paths will be used as additional starting points for crawling your application. Useful for paths that are not crawlable from the root of your application. For example, /admin . |
Configuration example:
```yaml
# in the "hawk.spider" config...
hawk:
  spider:
    seedPaths:
      - "/admin"
      - "/support"
```
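A practical source of seed paths is the application's own access log: anything users request that is not linked from the root is exactly what the spider will miss. The following added example (not StackHawk code) parses a few constructed Common Log Format lines, keeps successful GET paths, strips query strings, drops static assets and paths the spider already reaches, and renders the result as the `hawk.spider.seedPaths` block above. The log lines, the static-asset suffix list and the `already_crawled` set are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /static/app.js HTTP/1.1" 200 9001
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /admin?tab=users HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2023:13:56:09 +0000] "POST /admin/users/42/reset HTTP/1.1" 302 0
10.0.0.9 - - [10/Oct/2023:13:57:15 +0000] "GET /support HTTP/1.1" 200 1500
10.0.0.9 - - [10/Oct/2023:13:57:20 +0000] "GET /support HTTP/1.1" 200 1500
10.0.0.9 - - [10/Oct/2023:13:58:01 +0000] "GET /internal/export.csv HTTP/1.1" 404 0
"""

# Request line and status code of a CLF entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')

# Assumption: these suffixes are static assets that add nothing as crawl starting points.
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".ico", ".woff2")


def seed_paths_from_log(log_text, already_crawled=("/",)):
    """Distinct GET paths worth seeding.

    Seeds are fetched as GET starting points, so non-GET requests are skipped;
    so are non-2xx/3xx responses, static assets and paths the spider already reaches.
    """
    seen = set()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        if not m.group("status").startswith(("2", "3")):
            continue
        path = urlsplit(m.group("target")).path  # drop the query string
        if path.lower().endswith(STATIC_EXT) or path in already_crawled:
            continue
        seen.add(path)
    return sorted(seen)


def seed_paths_yaml(paths):
    """Render the list as the hawk.spider.seedPaths block for stackhawk.yaml."""
    lines = ["hawk:", "  spider:", "    seedPaths:"]
    lines += ['      - "%s"' % p for p in paths]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(seed_paths_yaml(seed_paths_from_log(SAMPLE_LOG)))
```

Review the generated list before committing it: a path that needs authentication only helps if the scan is configured with matching credentials, and a path with a record identifier in it (such as `/admin/users/42`) is usually better replaced by its parent listing page so the spider discovers the rest itself.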
Learn more about configuring HawkScan in HawkScan Configuration.
- 🙋 Need a hand? Our support team is here to help.
- ✅ Ready to move on? Next up: Automating in CI/CD